T1185

Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. A specific example is when an adversary injects software into a browser process that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights. Another technique involves redirecting browser traffic through an adversary-controlled proxy injected into the browser process, allowing session impersonation without modifying user-visible traffic. Malware families such as TrickBot, Dridex, IcedID, QakBot, and Cobalt Strike implement browser pivoting and web inject techniques to steal banking credentials, session tokens, and SSL certificates.

Microsoft Sentinel / Defender

kusto

let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "microsoftedge.exe", "brave.exe", "opera.exe", "safari.exe"]);
let KnownGoodInjectors = dynamic(["MsMpEng.exe", "csrss.exe", "werfault.exe", "WerFaultSecure.exe", "dwm.exe", "taskmgr.exe"]);
// === Detection 1: Process injection into browser processes ===
let BrowserInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("CreateRemoteThreadApiCall", "WriteProcessMemoryApiCall", "SetThreadContextRemoteApiCall", "QueueUserApcRemoteApiCall", "OpenProcessApiCall")
| where FileName in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (KnownGoodInjectors)
| extend InjectionMethod = case(
    ActionType == "CreateRemoteThreadApiCall", "Remote thread injection",
    ActionType == "WriteProcessMemoryApiCall", "Memory write injection",
    ActionType == "SetThreadContextRemoteApiCall", "Thread context hijacking",
    ActionType == "QueueUserApcRemoteApiCall", "APC queue injection",
    ActionType == "OpenProcessApiCall", "Suspicious process handle open",
    "Unknown injection"
)
| project Timestamp, DeviceName, AccountName, DetectionSource="ProcessInjection",
         InjectionMethod, TargetBrowser=FileName,
         InjectorProcess=InitiatingProcessFileName,
         InjectorCommandLine=InitiatingProcessCommandLine,
         InjectorParent=InitiatingProcessParentFileName;
// === Detection 2: Suspicious DLL loads inside browser processes ===
let SuspiciousBrowserDllLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where not(FolderPath has_any (
    "\\Google\\Chrome\\", "\\Mozilla Firefox\\", "\\Microsoft\\Edge\\",
    "\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\Windows\\WinSxS\\",
    "\\Program Files\\Google\\", "\\Program Files (x86)\\Mozilla\\",
    "\\Program Files\\Microsoft\\", "\\Program Files (x86)\\Microsoft\\"
))
| where not(FileName has_any ("d3d", "opengl", "vulkan", "nvidia", "amd", "intel"))
| project Timestamp, DeviceName, AccountName, DetectionSource="SuspiciousDllLoad",
         InjectionMethod="Reflective/manual DLL load in browser",
         TargetBrowser=InitiatingProcessFileName,
         InjectorProcess=FileName,
         InjectorCommandLine=FolderPath,
         InjectorParent=InitiatingProcessParentFileName;
// === Combine and surface ===
BrowserInjection
| union SuspiciousBrowserDllLoads
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Access Module: Module Load Microsoft Defender for Endpoint DeviceEvents Microsoft Defender for Endpoint DeviceImageLoadEvents

Required Tables

DeviceEvents DeviceImageLoadEvents

False Positives

Screen reader and accessibility software (NVDA, JAWS, ZoomText) that legitimately hook into browser processes to read on-screen content
Password manager browser extensions with companion desktop agents (1Password, LastPass desktop app) that access browser process memory for autofill
Security products with browser integration features (some DLP agents, Netskope, Zscaler client) that inject helper modules into browsers
Crash reporting and debugging tools (Visual Studio debugger, Process Monitor) opening handles to browser processes during development or troubleshooting
Endpoint detection products performing memory scanning may trigger OpenProcessApiCall events against browser processes during scheduled scans

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=8 OR EventCode=10 OR EventCode=7)
(
  TargetImage="*\\chrome.exe" OR TargetImage="*\\msedge.exe" OR
  TargetImage="*\\firefox.exe" OR TargetImage="*\\iexplore.exe" OR
  TargetImage="*\\brave.exe" OR TargetImage="*\\opera.exe" OR
  TargetImage="*\\microsoftedge.exe"
)
NOT (
  SourceImage="*\\chrome.exe" OR SourceImage="*\\msedge.exe" OR
  SourceImage="*\\firefox.exe" OR SourceImage="*\\MsMpEng.exe" OR
  SourceImage="*\\WerFault.exe" OR SourceImage="*\\csrss.exe" OR
  SourceImage="*\\dwm.exe"
)
| eval InjectionType=case(
    EventCode=8, "CreateRemoteThread in browser",
    EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+"), "Full-access process handle to browser",
    EventCode=10 AND match(GrantedAccess, "0x[0-9A-Fa-f]*3[89AB][0-9A-Fa-f]*"), "VM Read/Write handle to browser",
    EventCode=10, "ProcessAccess to browser",
    EventCode=7, "DLL injection candidate",
    true(), "Unknown"
)
| eval IsHighRisk=if(EventCode=8 OR (EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+")), 1, 0)
| eval SourceProcess=coalesce(SourceImage, Image)
| eval TargetProcess=coalesce(TargetImage, "n/a")
| table _time, host, User, EventCode, InjectionType, IsHighRisk,
        SourceProcess, TargetProcess, GrantedAccess, CallTrace, StartFunction
| sort - IsHighRisk, - _time

high severity high confidence

Data Sources

Process: Process Access Process: Process Creation Module: Module Load Sysmon Event ID 8 (CreateRemoteThread) Sysmon Event ID 10 (ProcessAccess) Sysmon Event ID 7 (ImageLoad)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Screen reader and accessibility software (NVDA, JAWS) that legitimately hook browser processes for content reading
Password manager desktop agents opening read handles to browsers for autofill synchronization
Security products with browser protection modules (DLP agents, SSO clients) that load helper DLLs into browser context
Developer debugging sessions using Visual Studio or WinDbg attaching to browser processes for front-end debugging
Electron-based applications that embed Chromium may show similar EventCode=10 patterns when managing their embedded browser engine

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe") and
   event.action == "start"]
  [process where event.action in ("access", "ptrace") and
   target.process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe") and
   not process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "MsMpEng.exe", "WerFault.exe", "csrss.exe", "dwm.exe", "taskmgr.exe")]

OR

sequence by host.id, process.pid with maxspan=2m
  [process where process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe") and event.type == "start"]
  [library where process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe") and
   not dll.path : (
     "?:\\Program Files\\Google\\Chrome\\*",
     "?:\\Program Files\\Mozilla Firefox\\*",
     "?:\\Program Files\\Microsoft\\Edge\\*",
     "?:\\Windows\\System32\\*",
     "?:\\Windows\\SysWOW64\\*",
     "?:\\Windows\\WinSxS\\*"
   ) and
   not dll.name : ("d3d*.dll", "opengl*.dll", "nvoglv*.dll", "atig6*.dll", "ig*.dll")]

high severity medium confidence

Data Sources

Windows Sysmon (event.action process access/ptrace) Endpoint agent with DLL/library load events Elastic Endpoint Security or Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* winlogbeat-*

False Positives

Security tools such as CrowdStrike Falcon sensor or Carbon Black may legitimately access browser processes for monitoring purposes
Screen recording or accessibility software (e.g., Zoom, screen readers) may load DLLs into browser processes
Browser extensions distributed as standalone DLLs loaded from non-default paths
Development/debugging tools like Visual Studio or WinDbg attaching to browsers during web development
Password managers with browser integration loading helper DLLs from custom paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  hostname AS Host,
  QIDNAME(qid) AS EventName,
  "SourceImage" AS InjectorProcess,
  "TargetImage" AS TargetBrowser,
  "GrantedAccess" AS AccessMask,
  CATEGORYNAME(category) AS Category,
  logsourcename(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND (
    (qid IN (
      SELECT qid FROM QIDMap WHERE qidname ILIKE '%CreateRemoteThread%'
        OR qidname ILIKE '%ProcessAccess%'
        OR qidname ILIKE '%ImageLoad%'
    ))
    OR ("EventID" IN ('8', '10', '7'))
  )
  AND (
    "TargetImage" ILIKE '%\\chrome.exe'
    OR "TargetImage" ILIKE '%\\msedge.exe'
    OR "TargetImage" ILIKE '%\\firefox.exe'
    OR "TargetImage" ILIKE '%\\iexplore.exe'
    OR "TargetImage" ILIKE '%\\brave.exe'
    OR "TargetImage" ILIKE '%\\opera.exe'
    OR "TargetImage" ILIKE '%\\microsoftedge.exe'
  )
  AND NOT (
    "SourceImage" ILIKE '%\\chrome.exe'
    OR "SourceImage" ILIKE '%\\msedge.exe'
    OR "SourceImage" ILIKE '%\\firefox.exe'
    OR "SourceImage" ILIKE '%\\MsMpEng.exe'
    OR "SourceImage" ILIKE '%\\WerFault.exe'
    OR "SourceImage" ILIKE '%\\csrss.exe'
    OR "SourceImage" ILIKE '%\\dwm.exe'
    OR "SourceImage" ILIKE '%\\taskmgr.exe'
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon for Windows (forwarded via WinCollect or syslog) Windows Event Forwarding to QRadar

Required Tables

events

False Positives

Endpoint security agents (e.g., Symantec, McAfee, Trend Micro) legitimately access browser processes
Application performance monitoring tools that attach to browser processes
Browser developer tools or remote debugging sessions
Legitimate browser automation frameworks such as Selenium WebDriver
IT management agents performing inventory or patch management tasks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon ("EventCode=8" OR "EventCode=10" OR "EventCode=7")
| parse regex "<EventID>(?<EventCode>\d+)<\/EventID>"
| parse regex "TargetImage>(?<TargetImage>[^<]+)<" nodrop
| parse regex "SourceImage>(?<SourceImage>[^<]+)<" nodrop
| parse regex "ImageLoaded>(?<ImageLoaded>[^<]+)<" nodrop
| parse regex "GrantedAccess>(?<GrantedAccess>[^<]+)<" nodrop
| parse regex "User>(?<User>[^<]+)<" nodrop
| where (TargetImage matches "*\\chrome.exe"
      OR TargetImage matches "*\\msedge.exe"
      OR TargetImage matches "*\\firefox.exe"
      OR TargetImage matches "*\\iexplore.exe"
      OR TargetImage matches "*\\brave.exe"
      OR TargetImage matches "*\\opera.exe"
      OR TargetImage matches "*\\microsoftedge.exe")
      OR (EventCode = "7" AND (ImageLoaded matches "*\\chrome.exe" OR ImageLoaded matches "*\\firefox.exe" OR ImageLoaded matches "*\\msedge.exe"))
| where NOT (SourceImage matches "*\\chrome.exe"
          OR SourceImage matches "*\\msedge.exe"
          OR SourceImage matches "*\\firefox.exe"
          OR SourceImage matches "*\\MsMpEng.exe"
          OR SourceImage matches "*\\WerFault.exe"
          OR SourceImage matches "*\\csrss.exe"
          OR SourceImage matches "*\\dwm.exe"
          OR SourceImage matches "*\\taskmgr.exe")
| eval InjectionType = if(EventCode = "8", "CreateRemoteThread in browser",
    if(EventCode = "10", "ProcessAccess to browser",
    if(EventCode = "7", "Suspicious DLL load in browser", "Unknown")))
| eval IsHighRisk = if(EventCode = "8", "true",
    if(EventCode = "10" AND GrantedAccess matches "0x1[Ff]*", "true", "false"))
| fields _messageTime, _sourceHost, User, EventCode, InjectionType, IsHighRisk, SourceImage, TargetImage, GrantedAccess, ImageLoaded
| sort by IsHighRisk desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic with Sysmon data collected via Installed Collector Windows Event Log source with Sysmon/Operational channel Sumo Logic Cloud-to-Cloud for Windows endpoints

Required Tables

windows/sysmon source category

False Positives

Antivirus or EDR solutions with behavior monitoring that access browser processes
Browser-based screen sharing tools loading helper DLLs
Legitimate software with browser integration such as LastPass or 1Password extensions
Developer debugging sessions with process attachment
Remote administration tools that leverage browser processes for UI interaction

Google Chronicle / SecOps

yaral

rule t1185_browser_session_hijacking {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects browser session hijacking via process injection or DLL load into browser processes"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1185"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Detection 1: CreateRemoteThread into browser
    $inject.metadata.event_type = "PROCESS_INJECTION"
    $inject.target.process.file.full_path = /(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$/
    not $inject.principal.process.file.full_path = /(?i)(chrome|msedge|firefox|MsMpEng|WerFault|csrss|dwm|taskmgr)\.exe$/
    $inject.principal.hostname = $host

  OR

    // Detection 2: Suspicious library load inside browser process
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $load.principal.process.file.full_path = /(?i)(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
    not $load.target.file.full_path = /(?i)(Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|Windows\\(System32|SysWOW64|WinSxS))/
    not $load.target.file.full_path = /(?i)(d3d|opengl|vulkan|nvidia|amd|intel)/
    $load.principal.hostname = $host

  condition:
    $inject or $load
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry forwarded to Chronicle (via forwarder or ingestion API) Windows Defender for Endpoint via Chronicle integration CrowdStrike Falcon data ingested into Chronicle

Required Tables

UDM events with metadata.event_type PROCESS_INJECTION UDM events with metadata.event_type PROCESS_MODULE_LOAD

False Positives

Legitimate security software accessing browser processes for scanning or monitoring
Browser developer extensions that load DLLs from custom installation paths
Third-party password managers or accessibility tools with browser integration
Automated testing frameworks using browser instrumentation APIs
Update managers or software distribution agents that access browser processes

CrowdStrike LogScale (CQL)

cql

// Detection 1: Suspicious process injection into browser processes
#event_simpleName = "CreateRemoteThreadV2" OR #event_simpleName = "WriteProcessMemory" OR #event_simpleName = "SetThreadContext"
| TargetImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$/
| SourceImageFileName != /(?i)(chrome|msedge|firefox|MsMpEng|WerFault|WerFaultSecure|csrss|dwm|taskmgr)\.exe$/
| eval InjectionMethod = case(
    #event_simpleName = "CreateRemoteThreadV2", "Remote thread injection",
    #event_simpleName = "WriteProcessMemory", "Memory write injection",
    #event_simpleName = "SetThreadContext", "Thread context hijacking",
    "Unknown"
)
| table _time, ComputerName, UserName, InjectionMethod, SourceImageFileName, TargetImageFileName, TargetProcessId, SourceProcessId
| sort _time desc

// Detection 2: Suspicious DLL loads inside browser processes (union)
OR

#event_simpleName = "ClassifiedModuleLoad"
| ImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
| NOT ModuleFilePath = /(?i)(\\Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|\\Windows\\(System32|SysWOW64|WinSxS))/
| NOT ModuleFilePath = /(?i)(d3d|opengl|vulkan|nvog|atig|ig[0-9])/
| eval InjectionMethod = "Suspicious module load in browser"
| table _time, ComputerName, UserName, InjectionMethod, ImageFileName, ModuleFilePath, ModuleImageFilePath
| sort _time desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike LogScale (formerly Humio) Falcon Data Replicator (FDR) event stream

Required Tables

Falcon event stream: CreateRemoteThreadV2 Falcon event stream: WriteProcessMemory Falcon event stream: SetThreadContext Falcon event stream: ClassifiedModuleLoad

False Positives

CrowdStrike sensor itself may generate events when performing process inspection for threat detection
Third-party AV or EDR products that co-exist with Falcon and access browser processes
Legitimate browser helper objects or extensions that load as DLLs from custom enterprise software directories
IT operations tooling such as BigFix or Tanium that may access browser process memory for inventory
Browser-based RPA tools that instrument browser processes programmatically

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1185 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Browser Session Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections